imagemagick: New format string vulnerability in SetImageInfo().

Bug #27952 reported by Debian Bug Importer on 2006-01-04
imagemagick (Debian): status Fix Released, importance Unknown
imagemagick (Ubuntu): importance High, assigned to Martin Pitt

Bug Description

Automatically imported from Debian bug report #345876 http://bugs.debian.org/345876

Debian Bug Importer (debzilla) wrote :

Message-ID: <email address hidden>
Date: Wed, 4 Jan 2006 02:05:20 +0100
From: Daniel Kobras <email address hidden>
To: Debian Bug Tracking System <email address hidden>
Subject: imagemagick: New format string vulnerability in SetImageInfo().

Package: imagemagick
Version: 6:6.2.3.0-1
Severity: grave
Tags: security patch
Justification: user security hole

Specially crafted file names cause programs using ImageMagick to crash
due to a format string vulnerability. It might be possible to execute
arbitrary code due to this bug.

I've discovered the vulnerability while investigating the upstream fix
for #297990 (CAN-2005-0397). It turns out that this fix is buggy and
doesn't plug the security hole. Originally, the format string
vulnerability could be demonstrated with

convert foo.jpg foo%n.jpg # (or several %n until overflow happens)

Now all we need is one additional, valid, numeric format string, eg.

convert foo.jpg foo%d%n.jpg # (or several %n until overflow happens)

The new code just checks for the presence of any of %%, %d, %o, or %x.
If one of them is found, it passes the rest of the string as a format
string to an sprintf()-style function just like in the CAN-2005-0397
vulnerability. It all happens in SetImageInfo() that is usually called
on the target filename in write operations, eg. the target filename of a
'convert'.

I'm not sure which upstream version was the first to contain this new
incarnation of the vulnerability, but 6:6.2.3.0-1 was the first that
appeared in Debian. While sarge contains an earlier version, etch and
sid are affected. As this really is a new vulnerability, I assume
CAN-2005-0397 should not be reused. Security team, can you please
confirm and possibly provide a new CVE ID?

I'm attaching an untested patch that should give an idea on how to plug
this hole once and for all. Note that the original fix that went into
sarge was buggy as well: The code is actually supposed to expand an
optional numeric format specifier to support multi-frame images. The
sarge security patch broke this by preventing any format string
expansion, but that's a different story.

Regards,

Daniel.

Content-Disposition: inline; filename=diff

diff -rN -u old-imagemagick/magick/image.c new-imagemagick/magick/image.c
--- old-imagemagick/magick/image.c 2006-01-04 01:23:29.000000000 +0100
+++ new-imagemagick/magick/image.c 2006-01-04 01:23:31.000000000 +0100
@@ -2881,8 +2881,16 @@
             char
               format[MaxTextExtent];

+ /* Extract first numeric format specifier */
             (void) CopyMagickString(format,p,MaxTextExtent);
+ if (q-p+1 < MaxTextExtent)
+ format[q-p+1]='\0';
+ /* Expand format */
             (void) FormatMagickString(p,MaxTextExtent,format,image_info->scene);
+ /* Copy rest of string verbatim without further expansion */
+ (void) ConcatenateMagickString(filename,
+ image_info->filename+(q-filename)+1,
+ MaxTextExtent);
             break;
           }
 ...
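
Review bot: the added `if (q-p+1 < MaxTextExtent)` guard has no else branch, so when it is false `FormatMagickString()` still runs on a copy of `p` that was never cut after the first specifier; breaking out without expanding in that case would make the truncation unconditional. The unchanged call `FormatMagickString(p,MaxTextExtent,format,...)` also passes the full `MaxTextExtent` although `p` points into the middle of `filename`, so the size should be `MaxTextExtent-(p-filename)`. Finally, the tail is read from `image_info->filename+(q-filename)+1`, which only lines up while `filename` is an unmodified copy of `image_info->filename` up to `q`; a comment stating that assumption would help.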

Debian Bug Importer (debzilla) wrote :

Message-Id: <email address hidden>
Date: Wed, 04 Jan 2006 12:04:46 -0500
From: Matthias Clasen <email address hidden>
To: <email address hidden>
Subject: a more complete fix

The same code is repeated in blob.c. Here is a more complete fix.

Content-Disposition: attachment; filename=ImageMagick-6.2.5-format-string-again.patch

--- ImageMagick-6.2.5/magick/image.c.format-string-again 2005-10-22 12:17:39.000000000 -0400
+++ ImageMagick-6.2.5/magick/image.c 2006-01-04 11:37:30.000000000 -0500
@@ -2861,8 +2861,16 @@
             char
               format[MaxTextExtent];

+ /* Extract first numeric format specifier */
             (void) CopyMagickString(format,p,MaxTextExtent);
+ if (q-p+1 < MaxTextExtent)
+ format[q-p+1]='\0';
+ /* Expand format */
             (void) FormatMagickString(p,MaxTextExtent,format,image_info->scene);
+ /* Copy rest of string verbatim without further expansion */
+ (void) ConcatenateMagickString(filename,
+ image_info->filename+(q-filename)+1,
+ MaxTextExtent);
             break;
           }
       }
--- ImageMagick-6.2.5/magick/blob.c.format-string-again 2006-01-04 11:36:02.000000000 -0500
+++ ImageMagick-6.2.5/magick/blob.c 2006-01-04 11:37:32.000000000 -0500
@@ -2135,8 +2135,17 @@
             char
               format[MaxTextExtent];

+ /* Extract first numeric format specifier */
             (void) CopyMagickString(format,p,MaxTextExtent);
+ if (q-p+1 < MaxTextExtent)
+ format[q-p+1]='\0';
+ /* Expand format */
             (void) FormatMagickString(p,MaxTextExtent,format,image->scene);
+ /* Copy rest of string verbatim without further expansion */
+ (void) ConcatenateMagickString(filename,
+ image_info->filename+(q-filename)+1,
+ MaxTextExtent);
+
             break;
           }
       }
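
Review bot: in this blob.c hunk the expansion uses `image->scene` while the tail is appended from `image_info->filename+(q-filename)+1`. The offset `q-filename` is only valid for the string `filename` was copied from, and the hunk does not show that copy; if it was taken from `image->filename`, the tail has to come from `image->filename` as well. Please confirm the source and use the same one in both places.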

Debian Bug Importer (debzilla) wrote :

Message-ID: <email address hidden>
Date: Wed, 4 Jan 2006 18:47:47 +0100
From: Daniel Kobras <email address hidden>
To: Matthias Clasen <email address hidden>, <email address hidden>
Subject: Re: Bug#345876: a more complete fix

On Wed, Jan 04, 2006 at 12:04:46PM -0500, Matthias Clasen wrote:
> The same code is repeated in blob.c. Here is a more complete fix.

Thanks a lot! Still not complete, though. I just noticed that animate.c
(or command.c in graphicsmagick) is affected in a similar way. There
might be even more of those lurking...

Regards,

Daniel.

Debian Bug Importer (debzilla) wrote :

Message-Id: <email address hidden>
Date: Wed, 04 Jan 2006 13:54:29 -0500
From: Matthias Clasen <email address hidden>
To: <email address hidden>
Subject: animate.c

I don't doubt that there are more vulnerabilities lurking in
ImageMagick, but I don't see how this same problem occurs in
animate.c...

Matthias

Debian Bug Importer (debzilla) wrote :

Message-ID: <email address hidden>
Date: Thu, 5 Jan 2006 13:37:02 +0100
From: Daniel Kobras <email address hidden>
To: Matthias Clasen <email address hidden>, <email address hidden>
Subject: Re: Bug#345876: animate.c

On Wed, Jan 04, 2006 at 01:54:29PM -0500, Matthias Clasen wrote:
> I don't doubt that there are more vulnerabilities lurking in
> ImageMagick, but I don't see how this same problem occurs in
> animate.c...

Which version are you looking at? The code in question recently moved
from magick/animate.c to wand/animate.c. Anyway, the underlying problem
is the same in all cases: A single numeric format expansion should be
allowed in user-supplied strings. In animate.c, look for a call to
FormatMagickString() following a comment "Form filename for multi-part
images.". The format string is taken verbatim from the command line.
Admittedly though, animate will rarely be called from scripts or as a
mime handler, so the security impact is quite low compared to, say,
convert.

Regards,

Daniel.
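
An added illustration of the point made in this message (not ImageMagick code and not taken from the patches in this thread): the presence check described in the report accepts a name that carries more conversions than the single scene argument, whereas a routine that expands only the first numeric specifier through fixed format literals copies the rest untouched. The function names, `MAX_WIDTH`, the `unsigned long` scene type and the sample file names are assumptions made for the example.

```c
/* Added illustration; not ImageMagick code. All names are hypothetical. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_WIDTH 32 /* assumed cap on the zero-padding width */

/* Gate as described in the report: accept the name if %%, %d, %o or %x
   (optionally with a 0-prefixed width) occurs anywhere in it. */
static int flawed_gate_accepts(const char *name)
{
  const char *p, *q;

  for (p = strchr(name, '%'); p != NULL; p = strchr(p + 1, '%')) {
    q = p + 1;
    if (*q == '0')
      while (*q >= '0' && *q <= '9')
        q++;
    if (*q == '%' || *q == 'd' || *q == 'o' || *q == 'x')
      return 1;
  }
  return 0;
}

/* Conversions a printf-style call would process if `s` were its format
   ("%%" consumes no argument and is not counted). */
static int conversions_in(const char *s)
{
  int n = 0;

  for (; *s != '\0'; s++) {
    if (*s != '%')
      continue;
    if (s[1] == '%') { s++; continue; }
    if (s[1] != '\0')
      n++;
  }
  return n;
}

/* Expand only the first %d/%o/%x (optional 0-prefixed width) or %% with
   `scene`; every other byte of `name` is copied verbatim. The name is never
   used as a format string. Returns 0, or -1 if out[outlen] is too small. */
static int expand_scene(char *out, size_t outlen, const char *name,
                        unsigned long scene)
{
  const char *p, *q = NULL;
  size_t used;
  int width = 0, n;

  for (p = strchr(name, '%'); p != NULL; p = strchr(p + 1, '%')) {
    q = p + 1;
    width = 0;
    if (*q == '0') {
      char *end;
      long w = strtol(q, &end, 10);
      if (w > MAX_WIDTH)
        continue;                 /* absurd padding: leave it as literal text */
      width = (int) w;
      q = end;
    }
    if (*q == '%' || *q == 'd' || *q == 'o' || *q == 'x')
      break;
  }
  if (p == NULL) {                /* nothing to expand */
    n = snprintf(out, outlen, "%s", name);
    return (n < 0 || (size_t) n >= outlen) ? -1 : 0;
  }
  used = (size_t) (p - name);
  if (used >= outlen)
    return -1;
  memcpy(out, name, used);        /* text before the specifier */
  switch (*q) {                   /* fixed literals only */
    case 'd': n = snprintf(out + used, outlen - used, "%0*lu", width, scene); break;
    case 'o': n = snprintf(out + used, outlen - used, "%0*lo", width, scene); break;
    case 'x': n = snprintf(out + used, outlen - used, "%0*lx", width, scene); break;
    default:  n = snprintf(out + used, outlen - used, "%%"); break;
  }
  if (n < 0 || (size_t) n >= outlen - used)
    return -1;
  used += (size_t) n;
  n = snprintf(out + used, outlen - used, "%s", q + 1);  /* tail, verbatim */
  return (n < 0 || (size_t) n >= outlen - used) ? -1 : 0;
}

/* Convenience wrapper for the demo: static buffer, NULL if it does not fit. */
static const char *demo_expand(const char *name, unsigned long scene)
{
  static char buf[64];
  return expand_scene(buf, sizeof buf, name, scene) == 0 ? buf : NULL;
}

int main(void)
{
  /* Constructed sample names; the second is the pattern from the report. */
  const char *names[] = { "frame%03d.png", "foo%d%n.jpg", "foo%n.jpg" };
  size_t i;

  for (i = 0; i < sizeof names / sizeof names[0]; i++) {
    const char *r = demo_expand(names[i], 7);
    printf("%-14s gate=%d conversions=%d -> %s\n", names[i],
           flawed_gate_accepts(names[i]), conversions_in(names[i]),
           r != NULL ? r : "(too long)");
  }
  return 0;
}
```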

Debian Bug Importer (debzilla) wrote :

Message-Id: <email address hidden>
Date: Mon, 09 Jan 2006 10:18:13 -0500
From: Matthias Clasen <email address hidden>
To: <email address hidden>
Subject:

Ah, got it now. Does this look more complete ?

Content-Disposition: attachment; filename=ImageMagick-6.2.5-format-string-again.patch

--- ImageMagick-6.2.5/magick/image.c.format-string-again 2005-10-22 12:17:39.000000000 -0400
+++ ImageMagick-6.2.5/magick/image.c 2006-01-09 10:09:33.000000000 -0500
@@ -2861,8 +2861,16 @@
             char
               format[MaxTextExtent];

+ /* Extract first numeric format specifier */
             (void) CopyMagickString(format,p,MaxTextExtent);
+ if (q-p+1 < MaxTextExtent)
+ format[q-p+1]='\0';
+ /* Expand format */
             (void) FormatMagickString(p,MaxTextExtent,format,image_info->scene);
+ /* Copy rest of string verbatim without further expansion */
+ (void) ConcatenateMagickString(filename,
+ image_info->filename+(q-filename)+1,
+ MaxTextExtent);
             break;
           }
       }
--- ImageMagick-6.2.5/magick/blob.c.format-string-again 2005-09-28 15:00:17.000000000 -0400
+++ ImageMagick-6.2.5/magick/blob.c 2006-01-09 10:09:33.000000000 -0500
@@ -2135,8 +2135,17 @@
             char
               format[MaxTextExtent];

+ /* Extract first numeric format specifier */
             (void) CopyMagickString(format,p,MaxTextExtent);
+ if (q-p+1 < MaxTextExtent)
+ format[q-p+1]='\0';
+ /* Expand format */
             (void) FormatMagickString(p,MaxTextExtent,format,image->scene);
+ /* Copy rest of string verbatim without further expansion */
+ (void) ConcatenateMagickString(filename,
+ image_info->filename+(q-filename)+1,
+ MaxTextExtent);
+
             break;
           }
       }
--- ImageMagick-6.2.5/magick/animate.c.format-string-again 2005-10-23 22:15:16.000000000 -0400
+++ ImageMagick-6.2.5/magick/animate.c 2006-01-09 10:15:17.000000000 -0500
@@ -606,8 +606,33 @@
               /*
                 Form filename for multi-part images.
               */
- (void) FormatMagickString(filename,MaxTextExtent,
- image_info->filename,scene);
+ (void) CopyMagickString(filename,image->filename,MaxTextExtent);
+ for (p=strchr(filename,'%'); p != (char *) NULL; p=strchr(p+1,'%'))
+ {
+ char
+ *q;
+
+ q=p+1;
+ if (*q == '0')
+ (void) strtol(q,&q,10);
+ if ((*q == '%') || (*q == 'd') || (*q == 'o') || (*q == 'x'))
+ {
+ char
+ format[MaxTextExtent];
+
+ /* Extract first numeric format specifier */
+ (void) CopyMagickString(format,p,MaxTextExtent);
+ if (q-p+1 < MaxTextExtent)
+ format[q-p+1]='\0';
+ /* Expand format */
+ (void) FormatMagickString(p,MaxTextExtent,format,image->scene);
+ /* Copy rest of string verbatim without fur...
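
Review bot: the replacement in animate.c switches its inputs. The removed call formatted `image_info->filename` with the loop's `scene`, while the added code copies `image->filename` and expands with `image->scene`. Unless that change is intended, keep `image_info->filename` and `scene` here; the block reads as if it was carried over from the blob.c hunk. The new loop also uses `p`, which this hunk does not declare, so check that the function has it.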

Debian Bug Importer (debzilla) wrote :

Message-ID: <email address hidden>
Date: Tue, 10 Jan 2006 17:03:55 +0100
From: Daniel Kobras <email address hidden>
To: Matthias Clasen <email address hidden>, <email address hidden>
Subject: Re: Bug#345876: imagemagick: New format string vulnerability in SetImageInfo().

On Mon, Jan 09, 2006 at 10:18:13AM -0500, Matthias Clasen wrote:
> Ah, got it now. Does this look more complete ?

Yes, but there are still a few more places to fix. The attached patch
for 6.2.4.5 should be fairly complete, apart from a few odd places in
coders/, but those fall more into the scope of CVE-2005-4601. Mind,
though, that I'm still testing the fix, so some polishing might be
needed still.

Regards,

Daniel.

Content-Disposition: inline; filename="im_format_string.diff"

diff -r 8a3cbd342315 magick/animate.c
--- a/magick/animate.c Tue Jan 10 12:11:55 2006 +0100
+++ b/magick/animate.c Tue Jan 10 16:55:22 2006 +0100
@@ -604,7 +604,7 @@
               /*
                 Form filename for multi-part images.
               */
- (void) FormatMagickString(filename,MaxTextExtent,
+ (void) FormatMagickStringNumeric(filename,MaxTextExtent,
                 image_info->filename,scene);
               if (LocaleCompare(filename,image_info->filename) == 0)
                 (void) FormatMagickString(filename,MaxTextExtent,"%s[%lu]",
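
Review bot: the fallback two lines below the changed call formats with a `%lu` conversion, which suggests `scene` is an unsigned long, but `FormatMagickStringNumeric()` is documented later in this thread as taking `int value`, so passing `scene` narrows it. Consider declaring the parameter as `unsigned long` (or `long`) so large scene numbers expand the same way in both calls.
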
diff -r 8a3cbd342315 magick/blob.c
--- a/magick/blob.c Tue Jan 10 12:11:55 2006 +0100
+++ b/magick/blob.c Tue Jan 10 16:55:22 2006 +0100
@@ -2120,25 +2120,8 @@
       /*
         Form filename for multi-part images.
       */
- (void) CopyMagickString(filename,image->filename,MaxTextExtent);
- for (p=strchr(filename,'%'); p != (char *) NULL; p=strchr(p+1,'%'))
- {
- char
- *q;
-
- q=p+1;
- if (*q == '0')
- (void) strtol(q,&q,10);
- if ((*q == '%') || (*q == 'd') || (*q == 'o') || (*q == 'x'))
- {
- char
- format[MaxTextExtent];
-
- (void) CopyMagickString(format,p,MaxTextExtent);
- (void) FormatMagickString(p,MaxTextExtent,format,image->scene);
- break;
- }
- }
+ (void) FormatMagickStringNumeric(filename,MaxTextExtent,image->filename,
+ image->scene);
       if (image_info->adjoin == MagickFalse)
         if ((image->previous != (Image *) NULL) ||
             (GetNextImageInList(image) != (Image *) NULL))
diff -r 8a3cbd342315 magick/display.c
--- a/magick/display.c Tue Jan 10 12:11:55 2006 +0100
+++ b/magick/display.c Tue Jan 10 16:55:22 2006 +0100
@@ -1984,7 +1984,7 @@
               /*
                 Form filename for multi-part images.
               */
- (void) FormatMagickString(filename,MaxTextExtent,
+ (void) FormatMagickStringNumeric(filename,MaxTextExtent,
                 image_info->filename,scene);
               if (LocaleCompare(filename,image_info->filename) == 0)
                 (void) FormatMagickString(filename,MaxTextExtent,"%s.%lu",
diff -r...

Debian Bug Importer (debzilla) wrote :

Message-ID: <email address hidden>
Date: Tue, 10 Jan 2006 19:03:55 +0100
From: Daniel Kobras <email address hidden>
To: <email address hidden>
Cc: Matthias Clasen <email address hidden>
Subject: Re: Bug#345876: imagemagick: New format string vulnerability in SetImageInfo().

On Tue, Jan 10, 2006 at 05:03:55PM +0100, Daniel Kobras wrote:
> On Mon, Jan 09, 2006 at 10:18:13AM -0500, Matthias Clasen wrote:
> > Ah, got it now. Does this look more complete ?
>
> Yes, but there are still a few more places to fix. The attached patch
> for 6.2.4.5 should be fairly complete, apart from a few odd places in
> coders/, but those fall more into the scope of CVE-2005-4601. Mind,
> though, that I'm still testing the fix, so some polishing might be
> needed still.
(...)
> +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
> +% %
> +% %
> +% %
> +% F o r m a t M a g i c k S t r i n g N u m e r i c %
> +% %
> +% %
> +% %
> +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
> +%
> +% Method FormatMagickStringNumeric formats output for a single numeric
> +% argument. It takes into account that the format string given might be
> +% untrusted user input, and returns the length of the formatted string.
> +%
> +% The format of the FormatMagickStringNumeric method is:
> +%
> +% long FormatMagickStringNumeric(char *string,const size_t length,
> +% const char *format,int value)
> +%
> +% A description of each parameter follows.
> +%
> +% o string: FormatMagickStringNumeric() returns the formatted string in this
> +% character buffer.
> +%
> +% o length: The maximum length of the string.
> +%
> +% o format: A string describing the format to use to write the numeric
> +% argument. Only the first numeric format identifier is replaced.
> +%
> +% o value: Numeric value to substitute into format string.
> +%
> +%
> +*/
> +MagickExport long FormatMagickStringNumeric(char *string,const size_t length,const char *format,int value)
> +{
> + char
> + *p;
> +
> + (void) CopyMagickString(string, format, length);
> +
> + for (p=strchr(format,'%'); p != (char *) NULL; p=strchr(p+1,'%'))
> + {
> + char
> + *q;
> +
> + q=(char *) p+1;
> + if (*q == '0')
> + (void) strtol(q,&q,10);
> + if ((*q == '%') || (*q == 'd') || (*q == 'o') || (*q == 'x'))
> + {
> + char
> + c;
> +
> + q++;
> + c=*q;
> + *q='\0';
> + (void) snprintf(string+(p-format),length-(p-format),p,value);
> + *q=c;
> + (void) ConcatenateMagickString(&string,q,length);

Bah, scratch that &, even. Forgot to fix that one before sending.

Sorry,

Daniel.
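
Review bot: `snprintf(string+(p-format),length-(p-format),p,value)` computes the remaining size without checking that `p-format` is smaller than `length`. `p` is found in `format`, which is not truncated, while `string` is limited to `length`, so for a long format the `size_t` subtraction wraps and the write starts past the buffer; return early when `(size_t)(p-format) >= length`. The function also writes `*q='\0'` into `format`, which is declared `const char *` (with `p` a plain `char *` holding the result of `strchr(format,...)`); copying the specifier into a small local buffer, or expanding from the copy already in `string`, avoids modifying the caller's string.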

retitle 345876 [CVE-2006-0082] imagemagick: New format string vulnerability in SetImageInfo().
thanks

On Wed, Jan 04, 2006 at 02:05:20AM +0100, Daniel Kobras wrote:
> As this really is a new vulnerability, I assume CAN-2005-0397
> should not be reused. Security team, can you please confirm and
> possibly provide a new CVE ID?

Just spotted that this problem has been assigned CVE-2006-0082. Thanks
to whoever requested the id.

Regards,

Daniel.

severity 348453 normal
tags 347486 + patch
merge 347486 348453
tags 345595 + pending
tags 345876 + pending
tags 347486 + pending
thanks

tag 344997 + fixed
tag 345238 + fixed
tag 345595 + fixed
tag 345876 + fixed
tag 347486 + fixed

quit

This message was generated automatically in response to a
non-maintainer upload. The .changes file follows.


Format: 1.7
Date: Tue, 17 Jan 2006 18:33:58 +0100
Source: imagemagick
Binary: perlmagick libmagick9 libmagick9-dev imagemagick libmagick++9-dev libmagick++9c2a
Architecture: source i386
Version: 6:6.2.4.5-0.6
Distribution: unstable
Urgency: high
Maintainer: Daniel Kobras <email address hidden>
Changed-By: Daniel Kobras <email address hidden>
Description:
 imagemagick - Image manipulation programs
 libmagick++9-dev - The object-oriented C++ API to the ImageMagick library--developme
 libmagick++9c2a - The object-oriented C++ API to the ImageMagick library
 libmagick9 - Image manipulation library
 libmagick9-dev - Image manipulation library -- development
 perlmagick - A perl interface to the libMagick graphics routines
Closes: 344997 345238 345595 345876 347486
Changes:
 imagemagick (6:6.2.4.5-0.6) unstable; urgency=high
 .
   * Non-maintainer upload.
   * magick/display.c: In DisplayImageCommand(), expand command line before
     allocating resources based on argc. Patch and analysis thanks to
     Eero Häkkinen. Closes: #345595
   * magick/{animate.c,blob.c,display.c,image.c,log.c,montage.c,string.c,
     string_.h}: Implement new utility function FormatMagickStringNumeric()
     to securely expand a user-supplied format string with a single numeric
     argument. Adjust code to use this function where appropriate.
     (CVE-2006-0082) Closes: #345876
   * coders/pdf.c,coders/ps.c,magick/delegate.c,magick/delegate.h,
     magick/methods.h: Do not call external delegates with user-supplied
     filename, but with securely named symlinks only to prevent shell command
     injection (CVE-2005-4601). Closes: #345238
   * debian/rules: Make sure to include trailing spaces in multi-line
     commands to keep recent make happy. Cures problems with ghostscript
     font path. Fix thanks to Jeff Lessem. Closes: #347486
   * debian/imagemagick.mime: Rather than autodetect the type of an image,
     derive it from the mime type. As a side effect, this change allows to
     use arbitrary filenames with the 'see' command, even if they have
     special meaning to imagemagick internally. Also clean up some typos
     and superfluous entries once we're at it. Closes: #344997

Martin Pitt (pitti) wrote :

Fixed some days ago in USN-246-1

Changed in imagemagick:
status: Confirmed → Fix Released

Hi,

You should have recently received (or will soon receive) an e-mail
telling you that I've closed Debian bug #345876 in the imagemagick
package, which you reported.

Due to the fact that the package was uploaded by someone who does not
normally do so, the bug was marked as "fixed" rather than closed.

Debian's bug tracking system now allows for this information to be
recorded in a more useful manner, enabling these bugs to be closed.

Due to the volume of bugs affected by this change, we are unfortunately
not sending individualized explanations for each bug. If you have
questions about the fix for your particular bug or about this email,
please contact me directly or follow up to the bug report in the Debian
BTS.

[It's possible you may receive multiple messages stating that the bug
was fixed in several different versions of the package. There are two
common reasons for this:

  - the bug was fixed in one version but subsequently found to exist
    in a later version

  - the bug existed in multiple distributions (for instance, "unstable"
    and "stable") and was thus fixed in a separate upload to each
    distribution
]

Regards,

Adam

# Hi,
#
# Now that the BTS supports version-tracking, bugs that were
# fixed in NMUs but never acknowledged can be marked as
# closed in the relevant version. In the case of the bugs listed
# below, they're marked as release-critical in the version of the
# package to which they apply. The release team need to be able to
# accurately determine whether any of the bugs still affect "etch", so
# they're now being closed with version information.
#
# This doesn't affect the maintainer's ability to tell whether
# the bug is currently fixed in any particular Debian distribution
# as the BTS can now display "bugs open in unstable", "bugs open in
# version X-Y" and so on.
#
# See http://lists.debian.org/debian-devel-announce/2005/07/msg00010.html
# and http://lists.debian.org/debian-devel-announce/2005/10/msg00006.html
# for more information on version tracking.
#
# Separate mails are being sent to each bug's submitter

Changed in imagemagick:
status: Fix Committed → Fix Released

Source: imagemagick
Source-Version: 7:6.2.4.5.dfsg1-1

We believe that the bug you reported is fixed in the latest version of
imagemagick, which is due to be installed in the Debian FTP archive:

imagemagick_6.2.4.5.dfsg1-1.diff.gz
  to pool/main/i/imagemagick/imagemagick_6.2.4.5.dfsg1-1.diff.gz
imagemagick_6.2.4.5.dfsg1-1.dsc
  to pool/main/i/imagemagick/imagemagick_6.2.4.5.dfsg1-1.dsc
imagemagick_6.2.4.5.dfsg1-1_i386.deb
  to pool/main/i/imagemagick/imagemagick_6.2.4.5.dfsg1-1_i386.deb
libmagick++9-dev_6.2.4.5.dfsg1-1_i386.deb
  to pool/main/i/imagemagick/libmagick++9-dev_6.2.4.5.dfsg1-1_i386.deb
libmagick++9c2a_6.2.4.5.dfsg1-1_i386.deb
  to pool/main/i/imagemagick/libmagick++9c2a_6.2.4.5.dfsg1-1_i386.deb
libmagick9-dev_6.2.4.5.dfsg1-1_i386.deb
  to pool/main/i/imagemagick/libmagick9-dev_6.2.4.5.dfsg1-1_i386.deb
libmagick9_6.2.4.5.dfsg1-1_i386.deb
  to pool/main/i/imagemagick/libmagick9_6.2.4.5.dfsg1-1_i386.deb
perlmagick_6.2.4.5.dfsg1-1_i386.deb
  to pool/main/i/imagemagick/perlmagick_6.2.4.5.dfsg1-1_i386.deb

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to <email address hidden>,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Daniel Kobras <email address hidden> (supplier of updated imagemagick package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing <email address hidden>)


Format: 1.7
Date: Sat, 28 Apr 2007 18:00:10 +0200
Source: imagemagick
Binary: perlmagick libmagick9 libmagick9-dev imagemagick libmagick++9-dev libmagick++9c2a
Architecture: source i386
Version: 7:6.2.4.5.dfsg1-1
Distribution: unstable
Urgency: high
Maintainer: Luciano Bello <email address hidden>
Changed-By: Daniel Kobras <email address hidden>
Description:
 imagemagick - Image manipulation programs
 libmagick++9-dev - The object-oriented C++ API to the ImageMagick library--developme
 libmagick++9c2a - The object-oriented C++ API to the ImageMagick library
 libmagick9 - Image manipulation library
 libmagick9-dev - Image manipulation library -- development
 perlmagick - A perl interface to the libMagick graphics routines
Closes: 214623 317083 318176 325651 325720 330666 333616 335111 339548 340401 344997 345238 345595 345876 347486 349264 351498 352575 358148 360362 360400 364826 381831 383314 383314 385062 386964 393025 395830 398183 401047 404477 410435 412945 417237 418057 419274 420353
Changes:
 imagemagick (7:6.2.4.5.dfsg1-1) unstable; urgency=high
 .
   * New maintainers.
   * debian/compat: Splice debhelper version out of debian/rules into
     separate file (but don't bump version).
   * debian/control: Adjust jasper dependencies to current package names.
     Closes: #419274, #420353
   * Documentation minor improvements:
     - Manpages say SEE ALSO, not SEE-ALSO. Closes: #333616
     - Escaped special chars in manpages. Closes: #381831
     - External reference in convert(1). Closes: #398183
     -...
